Finding a safe harbor: Defensible deletion and Federal Rule 37(e)

Charting a safe course through the rising tide of information is a constant battle for organizations. Not only are the costs and logistics associated with data storage more demanding than ever, but so are the potential legal consequences. For many companies, it seems that there are no ports of call from the stormy seas created by the data explosion and resulting e-discovery Bermuda Triangles.

Nevertheless, enterprises seeking to minimize litigation risks and reduce operating expenses can find refuge from these tempests in the Federal Rule of Civil Procedure 37(e) “safe harbor” provision. Rule 37(e) is designed to protect organizations from sanctions when their computer systems automatically destroy or delete email, archival data, and other electronically stored information (ESI). This provision typically applies when companies, acting in good faith, allow the routine and normal operation of their automated systems to overwrite or delete such data.

Despite the availability of Rule 37(e), few companies have actually invoked its protections. This is primarily because many organizations still do not have adequate information governance policies. In many instances, the key players responsible for defensible deletion—lawyers and IT professionals—do not collaborate. Without retention policies and cooperative teamwork, companies unwittingly delegate to their rank-and-file employees the duty to manage, archive and discard data. Allowing employees to unilaterally and arbitrarily manage a company’s information is generally a recipe for disaster.

Contrast that laissez-faire approach with an effective defensible deletion strategy. Such a strategy typically involves a comprehensive approach that an organization implements to reduce the storage costs and legal risks associated with the retention of ESI. It will retain information that is significant or that otherwise must be kept for business, legal or regulatory purposes—and ideally nothing else. Organizations that have done so have successfully invoked the Rule 37(e) safe harbor provision and avoided court sanctions. At the same time, these companies have reduced data storage costs since they have confidently deleted ESI that has little or no business value.

Procedures that enable a defensible deletion strategy

The first step to successfully implementing a defensible deletion plan is to ensure that the stakeholders in information—legal and IT—are cooperating with each other; i.e., that they are actually talking to one another. These departments must also work jointly with records managers and business units to decide what data must be kept and for what length of time. These other key principals in information governance must be involved if the organization is to create a workable defensible deletion strategy.

This is especially important for email. Email (and its destruction) generates more discovery motions than any other source of ESI. The answer to this problem, however, is not to keep all company email forever. This would cause an organization to needlessly increase its operating expenses while stockpiling useless information. Instead, legal and IT should come up with a plan to determine a timeframe for retaining email that is reasonable in relation to the company’s business, industry and litigation profile.

Cooperation between legal and IT naturally leads the organization to establish records retention policies, which carry out the key stakeholders’ decisions on data retention. Such policies should address the particular needs of an organization while balancing them against litigation requirements. Not only will that enable a company to reduce its costs by decreasing data proliferation, but it will also minimize a company’s litigation risks by allowing it to limit the amount of potentially relevant information available for current and follow-on litigation.

These defensible deletion goals are not overly idealistic. As an example of an organization that “got it right,” the recent case of Viramontes v. U.S. Bancorp is particularly instructive. In Viramontes, the defendant bank defeated a sanctions motion due to the effective procedures that enabled its defensible deletion strategy. The bank implemented a retention policy that kept emails for 90 days, after which the emails were overwritten and destroyed. The bank also promulgated a course of action whereby the retention policy would be promptly suspended on the occurrence of litigation or other triggering event. Because the bank followed reasonable, effective and good faith procedures, it reduced a stockpile of email and was protected from potential sanctions by the Rule 37(e) safe harbor provision.

As Viramontes shows, a company can get defensible deletion right. By faithfully observing a reasonable records retention policy and then modifying aspects of that policy when required, an organization can confidently delete superfluous data in a manner provided by law.

Technology: Key facilitator of defensible deletion

In the digital age, an essential aspect of a defensible deletion strategy is technology, particularly archiving software. When coupled with document retention policies, which it can help enforce, an archiving solution can significantly reduce data volume and related storage costs.

Among the many benefits of an archiving tool is data classification, which analyzes and tags ESI content as it is ingested into the archive pursuant to company retention protocols. By so doing, organizations can search for and retrieve data with greater efficiency. This will reduce expenses downstream when documents must be searched and analyzed in response to legal demands.

Another key aspect of an archiving product is deduplication technology, or single instance storage, which preserves only a master copy of each document. While the duplicates are eliminated, the associated metadata is retained. This provides an effective chain of custody and also allows the deduped copies to be restored and produced in litigation, if necessary. Storing only one copy of a document also frees up space on company servers for the retention of other materials and ultimately leads to decreased storage costs.
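The single-instance storage described above, sketched as an added example that is not part of the original article or any archiving product's code. The names SingleInstanceStore and CopyRecord, the use of SHA-256 as the content key, and the sample documents are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class CopyRecord:
    """Metadata kept for every ingested copy, even when its bytes are a duplicate."""
    digest: str      # SHA-256 of the content (assumed content key)
    custodian: str
    path: str
    received: str    # ISO 8601 timestamp

@dataclass
class SingleInstanceStore:
    blobs: dict = field(default_factory=dict)    # digest -> master copy bytes
    records: list = field(default_factory=list)  # one CopyRecord per ingested copy

    def ingest(self, content: bytes, custodian: str, path: str, received: str) -> CopyRecord:
        digest = hashlib.sha256(content).hexdigest()
        self.blobs.setdefault(digest, content)   # bytes are stored only the first time
        rec = CopyRecord(digest, custodian, path, received)
        self.records.append(rec)                 # metadata is stored every time
        return rec

    def restore(self, custodian: str) -> list:
        """Rebuild each copy a custodian held, re-verifying the master copy's hash."""
        out = []
        for rec in self.records:
            if rec.custodian != custodian:
                continue
            content = self.blobs[rec.digest]
            if hashlib.sha256(content).hexdigest() != rec.digest:
                raise ValueError(f"master copy for {rec.path} failed integrity check")
            out.append((rec, content))
        return out

    def bytes_saved(self) -> int:
        """Logical size of all copies minus the size of the stored master copies."""
        logical = sum(len(self.blobs[r.digest]) for r in self.records)
        return logical - sum(len(b) for b in self.blobs.values())

def demo() -> SingleInstanceStore:
    # Constructed sample: one memo held by three custodians, plus one unique note.
    store = SingleInstanceStore()
    memo = b"Q3 pricing memo (constructed sample)\n"
    store.ingest(memo, "alice", "Inbox/pricing.txt", "2024-01-05T09:00:00Z")
    store.ingest(memo, "bob", "Inbox/FW pricing.txt", "2024-01-05T09:02:00Z")
    store.ingest(memo, "carol", "Archive/pricing.txt", "2024-01-06T14:30:00Z")
    store.ingest(b"Unrelated note (constructed sample)\n", "bob", "Drafts/note.txt", "2024-01-07T08:00:00Z")
    return store
```

Because every copy keeps its own custodian, path and timestamp, a per-custodian production can be rebuilt from the master copy, and the hash check on restore flags a master copy that changed after ingestion.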

Conclusion

By implementing a defensible deletion strategy, organizations can actually reduce their data stockpiles and related storage costs. Moreover, they can reduce legal risks by invoking the protections of the Rule 37(e) safe harbor provision. Just like the defendant in Viramontes, an organization will more likely find a place of refuge from torrential digital age storms.